At the request of Congress, the Federal Trade Commission will delay the enforcement of the "Red Flags Rule" until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.
The rule, mandated under the Fair and Accurate Credit Transactions Act, calls for the FTC and other agencies to develop regulations requiring "creditors" and "financial institutions" to address the risk of identity theft. Physicians, hospitals and any other healthcare providers who bill their patients or allow patients to make payments over time – essentially extending a line of credit – must comply with the rule.
Under the Red Flags Rule, healthcare providers who provide "covered accounts" must develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities – known as "red flags" – that could indicate identity theft.
Leaders of the American Medical Association said they will try to convince the FTC and Congress that physicians should not be included in the program. AMA officials said the FTC and Congress should republish the rule with sufficient time to allow them to make objections.
This is the second time the FTC has delayed enforcement of the rule. The first delay pushed enforcement back from Nov. 1, 2008 to Nov. 1, 2009.
FTC officials said they will continue to provide guidance on how to comply with the rule through its dedicated Red Flags Rule Web site. The commission has also published a compliance guide for business and created a template that enables low-risk entities to create an identity theft program with an easy-to-use online form.